Hello Kitty, Goodbye Privacy as 3M+ Users Hit by Breach

Written by

The personal information of over three million Hello Kitty customers has been found online by security researchers over the weekend.

The database in question was found by security bod Chris Vickery and relates to the Japanese cartoon character’s online community sanriotown.com, although those who registered accounts through hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com are also affected.

Vickery told Salted Hash that the information exposed included full names, birth dates, gender, email and password hint questions and answers.

Birthday data was encoded but easily reverse engineered, while unsalted SHA-1 password hashes were also used—particularly bad information security practice.

Sanrio and the ISP used to host the database were informed of the incident, which is thought to be the result of an improperly configured MongoDB database.

The same problems resulted in privacy snafus for several websites recently including MacKeeper (13 million records) and HIV-positive dating service Hzone.

Given that Hello Kitty is popular with youngsters it’s possible that the personal details of children have been exposed in this incident, just as they were in the major VTech breach recently.

Brian Spector, CEO of internet security firm MIRACL, told Infosecurity that any Hello Kitty fans caught up in this should immediately change their passwords for the site, and any others which they share the same credentials for.

“Businesses should strive to use authentication technologies that eliminate the risk of username/password database breaches,” he added.

Mark James, security specialist at Eset, argued that hackers may have a higher success rate when cashing in on stolen data belonging to children.

“As adults we get inundated with emails to click here or sign up here and most thankfully end up in the recycle bin. But children are a lot more susceptible to that email that reads ‘Click here—for that new in-game item’ or new website that promises to give them something they don’t already have but need to own,” he told Infosecurity.

“The fact that our children are getting their own email addresses and having access to a lot more online devices younger and younger poses a real threat when this type of data is found in the ethers of shady servers or websites.”

It’s also been suggested that identity fraud attacks on kids are more dangerous as parents typically don’t monitor their children’s credit record, so it might not be found out for years.

“Companies need to understand that all data has a value, especially information about minors. I know it’s easy to state that an adult must help you sign up and a minimum age is required to use your services but when has that ever stopped someone?” argued James.

“Yes, we are responsible for our children, but you are also responsible for doing as much as you possibly can to protect that data if you’re going to request and store it electronically.”

Photo © dean bertoncelj

What’s hot on Infosecurity Magazine?